JavaMail Reference Implementation

No more ‘unable to find valid certification path to requested target’

(This page was rescued from Andreas Sterbenz’s blog on blogs.sun.com,
which no longer exists.)

Monday Oct 09, 2006

Some of you may be familiar with the (not very user friendly) exception
message javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target when trying to open
an SSL connection to a host using JSSE. What this usually means is that
the server is using a test certificate (possibly generated using
keytool) rather than a certificate from a well known commercial
Certification Authority such as Verisign or GoDaddy. Web browsers
display warning dialogs in this case, but since JSSE cannot assume an
interactive user is present it just throws an exception by default.

Certificate validation is a very important part of SSL security, but I
am not writing this entry to explain the details. If you are
interested, you can start by reading the Wikipedia blurb. I am writing
this entry to show a simple way to talk to that host with the test
certificate, if you really want to.

Basically, you want to add the server’s certificate to the KeyStore
with your trusted certificates. There are any number of ways to achieve
that, but a simple solution is to compile and run
this program
as java InstallCert hostname, for example

What happened was that the program opened a connection to the specified
host and started an SSL handshake. It printed the stack trace of the
exception that occurred and then showed you the certificates presented by
the server. Now it prompts you for the certificate you want to add to your
trusted KeyStore. You should only do this if you are sure that this is
the certificate of the trusted host you want to connect to. You may
want to check the MD5 and SHA1 certificate fingerprints against a
fingerprint generated on the server (e.g. using keytool -list -v) to make
sure it is the correct certificate. Compare the SHA1 value rather than
relying on MD5 alone, since MD5 is no longer collision resistant, and use
a SHA-256 fingerprint where your tooling offers one.

If you’ve changed your mind, enter ‘q’. If you really want to add the
certificate, enter ‘1’. (You could also add a CA certificate by
entering the number of a different certificate in the chain, but you
usually don’t want to do that: trusting a CA means trusting every
certificate it issues, not just the one for this host.) Once you have
made your choice, the program will print the following:

It displayed the complete certificate and then added it to a Java
KeyStore ‘jssecacerts’ in the current directory. To use it in your
program, either configure JSSE to use it as its trust store (as
explained in the JSSE documentation, e.g. by passing
-Djavax.net.ssl.trustStore=jssecacerts on the command line) or copy it
into your $JAVA_HOME/jre/lib/security directory ($JAVA_HOME/lib/security
on Java 9 and later), where JSSE looks for a file named jssecacerts
before falling back to cacerts. If you want all Java applications to
recognize the certificate as trusted and not just JSSE, you could also
overwrite the cacerts file in that directory. Before you do, check with
keytool -list that the new file still contains the public CA roots you
rely on: a trust store holding only your certificate will break every
other SSL connection the JVM makes.
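The whole procedure in one program, as an added example that is not the
original InstallCert or the author’s code. It differs from the procedure
above in two ways a practitioner would want: you supply the expected
SHA-256 fingerprint (obtained out of band from whoever runs the server) as
an argument and the certificate is only added if it matches, and the result
is verified by building an SSLContext directly from the new jssecacerts
file instead of touching the JDK’s lib/security directory. The class name
PinAndTrust, the alias scheme and the argument layout are assumptions;
‘changeit’ is the JDK’s default trust store password.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example, not the original InstallCert program.
// Usage: java PinAndTrust <host> [port] <expected-sha256-fingerprint>
public class PinAndTrust {

    static final char[] PASSWORD = "changeit".toCharArray(); // JDK default trust store password
    static final Path OUTPUT = Paths.get("jssecacerts");      // written to the current directory

    /** Records the chain the server sends, then hands it to the real trust manager. */
    static final class SavingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        X509Certificate[] chain;
        SavingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }
        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
        public void checkClientTrusted(X509Certificate[] c, String authType) throws CertificateException {
            throw new CertificateException("client authentication is not supported here");
        }
        public void checkServerTrusted(X509Certificate[] c, String authType) throws CertificateException {
            chain = c;                                  // keep the chain even if validation fails ...
            delegate.checkServerTrusted(c, authType);   // ... then validate it the normal way
        }
    }

    /** Start from an existing jssecacerts, else from a copy of the JDK's cacerts, so the public roots are kept. */
    static KeyStore loadTrustStore() throws Exception {
        Path base = Files.exists(OUTPUT) ? OUTPUT
                : Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(base)) { ks.load(in, PASSWORD); }
        return ks;
    }

    static X509TrustManager trustManagerFor(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        return (X509TrustManager) tmf.getTrustManagers()[0];
    }

    /** Handshake with the host and return the chain it presented, whether or not validation succeeded. */
    static X509Certificate[] fetchChain(String host, int port, KeyStore ks) throws Exception {
        SavingTrustManager tm = new SavingTrustManager(trustManagerFor(ks));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.setSoTimeout(10000);
            s.startHandshake();
            System.out.println("Certificate is already trusted.");
        } catch (SSLException e) {
            System.out.println("Handshake failed, as expected for an untrusted certificate: " + e.getMessage());
        }
        if (tm.chain == null) throw new IllegalStateException("server sent no certificate chain");
        return tm.chain;
    }

    /** Colon-separated upper-case hex digest of the DER encoding, the format keytool prints. */
    static String fingerprint(X509Certificate cert, String algorithm) throws Exception {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            if (sb.length() > 0) sb.append(':');
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    /** Compare ignoring case and separators, so "ab:cd" and "ABCD" are the same fingerprint. */
    static boolean sameFingerprint(String a, String b) {
        return a.replace(":", "").equalsIgnoreCase(b.replace(":", ""));
    }

    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = args.length == 3 ? Integer.parseInt(args[1]) : 443;
        String expected = args[args.length - 1];      // SHA-256 fingerprint obtained out of band

        KeyStore ks = loadTrustStore();
        X509Certificate leaf = fetchChain(host, port, ks)[0];
        String actual = fingerprint(leaf, "SHA-256");
        System.out.println("Server presented: " + leaf.getSubjectX500Principal());
        System.out.println("SHA-256 fingerprint: " + actual);
        if (!sameFingerprint(actual, expected)) {
            System.err.println("Fingerprint mismatch; refusing to trust this certificate.");
            System.exit(1);
        }
        ks.setCertificateEntry(host + "-" + port, leaf);   // alias scheme is an assumption
        try (OutputStream out = Files.newOutputStream(OUTPUT)) { ks.store(out, PASSWORD); }
        System.out.println("Added to " + OUTPUT.toAbsolutePath());

        // Verify: a fresh context built from the new store, with hostname checking on, must now succeed.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { trustManagerFor(loadTrustStore()) }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS"); // raw SSLSocket does not check the name by itself
            s.setSSLParameters(p);
            s.startHandshake();
            System.out.println("Handshake with " + host + " now succeeds using " + OUTPUT);
        }
    }
}
```

Two points the trust store entry alone does not cover: a plain SSLSocket
does no hostname verification, which is why the final handshake turns on
endpoint identification, and because this pins the leaf certificate rather
than a CA, the jssecacerts file has to be updated whenever the server
rotates its certificate.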

After all that, JSSE will be able to complete a handshake with the
host, which you can verify by running the program again: